
INSPECTOR GENERAL 

DEPARTMENT OF DEFENSE 

4800 MARK CENTER DRIVE 
ALEXANDRIA, VIRGINIA 22350-1500 


October 4, 2019 
Ref: FOIA-2016-00048 


SENT VIA EMAIL TO: 21270-23321484@requests.muckrock.com 

Mr. Patrick H. O’Neill 
MuckRock 
DEPT MR 21270 
P.O.Box 55819 
Boston, MA 02205-5819 

Dear Mr. O’Neill: 

This responds to your Freedom of Information Act (FOIA) request for a copy of report 
DODIG-2015-168, (U) Air Force Commands Need to Improve Logical and Physical Security 
Safeguards that Protect SIPRNet Access Points. We received your request on October 15, 2015, 
and assigned it case number FOIA-2016-00048. 

The Office of the Deputy Inspector General for Audit conducted a search and found the 
enclosed record responsive to your request. In coordination with the Department of the Air 
Force, we determined that redacted portions are exempt from release pursuant to the following 
FOIA exemptions: 

• 5 U.S.C. § 552 (b)(1), which pertains to information that is currently and properly 
classified pursuant to Executive Order 13526, Section 1.4(g), as it relates to 
vulnerabilities or capabilities of systems, installations, infrastructures, projects, plans, 
or protection services relating to the national security; 

• 5 U.S.C. § 552 (b)(3), which pertains to information exempted from release by 
statute, in this instance 10 U.S.C. § 130e - Department of Defense critical 
infrastructure security information (DCRIT). Specifically, portions redacted under 
this statute contain sensitive but unclassified information related to the Department of 
Defense Information Network, which has been deemed to qualify as DCRIT by the 
Chief Management Officer of the Department of Defense; 

• 5 U.S.C. § 552 (b)(5), which pertains to certain inter-and intra-agency 
communications protected by the deliberative process privilege; 

• 5 U.S.C. § 552 (b)(6), which pertains to information, the release of which would 
constitute a clearly unwarranted invasion of personal privacy; and 

• 5 U.S.C. § 552 (b)(7)(E), which pertains to records or information compiled for law 
enforcement purposes, the release of which would disclose techniques and procedures 
for law enforcement investigations or prosecutions. 
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If you consider this an adverse determination, you may submit an appeal. Your appeal, if 
any, must be postmarked within 90 days of the date of this letter, clearly identify the 
determination that you would like to appeal, and reference to the FOIA case number above. 

Send your appeal to the Department of Defense, Office of Inspector General, ATTN: FOIA 
Appellate Authority, Suite 10B24, 4800 Mark Center Drive, Alexandria, VA 22350-1500, or via 
facsimile to 571-372-7498. For more information on appellate matters and administrative appeal 
procedures, please refer to 32 C.F.R. Sec. 286.9(e) and 286.11(a). 

You may contact our FOIA Public Liaison at FOI APublicLiaison@dodi g. mil or by 
calling 703-604-9785, for any further assistance with your request. Additionally, you may 
contact the Office of Government Information Services (OGIS) at the National Archives and 
Records Administration to inquire about the FOIA mediation services they offer. The contact 
information for OGIS is as follows: Office of Government Information Services, National 
Archives and Records Administration, 8601 Adelphi Road-OGIS, College Park, Maryland 
20740-6001, e-mail at ogis@nara.gov : telephone at 202-741-5770; toll free at 1-877-684-6448; 
or facsimile at 202-741-5769. However, OGIS does not have the authority to mediate requests 
made under the Privacy Act of 1974 (request to access one’s own records). 

If you have any questions regarding this matter, please contact this office at 
703-604-9775 or via email to foiarequests@dodig.mil . 


Sincerely, 



Searle Slutzkin 
Division Chief 

FOIA, Privacy and Civil Liberties Office 
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Mission 

Our mission is to provide independent, relevant, and timely oversight 
of the Department of Defense that supports the warfighter; promotes 
accountability, integrity, and efficiency; advises the Secretary of 
Defense and Congress; and informs the public. 


Vision 

Our vision is to be a model oversight organization in the Federal 
Government by leading change, speaking truth, and promoting 
excellence—a diverse organization, working together as one 
professional team, recognized as leaders in our field. 
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September 3,2015 


Objective 


(U) Our audit objective was to determine 
whether the Air Force was effectively 
protecting its Secret Internet Protocol 
Router Network (SIPRNet) access 
points. Specifically, we reviewed the 
security safeguards that protect 
SIPRNet access points a j 


(U) Findings (cant'd) 


fSRSl(i»M I). M(g): (b)(3). 10 use 5} 130e: (b)(7)(b) 


1 (b) (J). louse * uoe. (h) (/)(l) 


( P9U0] 


in accordance with applicable DoD and 

A-- --i —_ 




n)(J). 10 list vj 130c. (h)(7)(b) 
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Results in Brief 


(U) Air Force Commands Need to Improve Logical and Physical 
Security Safeguards That Protect SIPRNet Access Points 




(U) The Commander, U.S. Cyber Command; Director, 
Defense Information Systems Agency; and 
Commander,addressed the specifics of 
the recommendations. 

(U) Comments from the Air Force Chief, Information 
Dominance CIO; Commander,^^^^^^^^^^J|^B ; 
and Commander, l^^^^^^^^^fpartially addressed 
the recommendations. We request they provide additional 
comments in response to the final report. In addition, we 
received the Administrative Assistant to the Secretary of 


(U) the Air Force and DoD CIO comments on the draft 
report too late to include them in the final report. 
Therefore, if the Administrative Assistant to the Secretary 
of the Air Force and DoD CIO do not submit additional 
comments, we will consider those comments as the 
management response to the final report. 

(U) The Under Secretary of Defense for Intelligence; 
Commander, Air Force Materiel Command; Commander, 
Air Force Space Command; Commander, Air Force Reserve 
Command ; Commander, 24th Air Force; and Commander, 
did not provide comments to the draft report. 
We request that they respond to the final report. Please 
see the Recommendations Table on the next page. 


SEGRffF 
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(U) Recommendations Table 


Management 

Recommendations 

No Additional 

Requiring Comment 

Comments Required 

Under Secretary of Defense for Intelligence 

A.l 


Administrative Assistant to the Secretary of the 

Air Force 

B.l 


Commander, Air Force Materiel Command 

A.2 


Commander, U.S. Cyber Command 


A.l, A.3 

Commander, Air Force Space Command 

A.4 


Department of Defense Chief Information Officer 

A.l 


Director, Defense Information Systems Agency 


A.3 

Commander, Air Force Reserve Command 

A.2 


Air Force Chief, Information Dominance Chief 
Information Officer 

A.5.a, A.5.b, B.2 


Commander, 24th Air Force 

A.6 


Commander, mmy 


A.7, B.3 

Commander, UUII^I 

A.8.a, A.8.b, B.4.d 

A.8.C, B.4.a, B.4.b, B.4.C 

Commander, 

B.5 

A.9.a, A.9.b, A.9.C 

Commander, 

A.6, A.IO.a, A.IO.b, A.IO.c, 
A.IO.d 



(U) Please provide Management Comments by October 5, 2015. 
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September 3, 2015 


MEMORANDUM FOR UNDER SECRETARY OF DEFENSE FOR INTELLIGENCE 
COMMANDER, U.S. CYBER COMMAND 
DEPARTMENT OF DEFENSE CHIEF INFORMATION OFFICER 
ASSISTANT SECRETARY OF THE AIR FORCE (FINANCIAL 
MANAGEMENT AND COMPTROLLER) 


SUBJECT: Air Force Commands Need to Improve Logical and Physical Controls That 
Protect SIPRNet Access Points (Report No. DODIG-2015-168) 

(S) We are providing this final report for your review and comment. We considered management 
comments on a draft of this report when preparing the final report. The Air Force commands 


(b)(1). (b)(4). IllUSC $ Ode. (b)(7)(E) 



In addition, the Air Force commands 

complete SIPRNet access 
forms; and provide North Atlantic Treaty Organization briefings. We conducted this audit in 
accordance with generally accepted government auditing standards. 


( ■ FQUO) DoD Instruction 7650.03 requires that all recommendations be resolved promptly. The 
Commander, U.S. Cyber Command; Director, Defense Information Systems Agency; and 

addressed the specifics of the recommendations. Comments 

from the Air Force Chief, Information Dominance Chief Information Officer partially addressed 
Recommendation A.5.a and did not address Recommendations A.5.b and B.2. Therefore, we request 
additional comments on these recommendations by October 5, 2015. Comments from the 
Commander,did not address Recommendations A.8.a, A.8.b, and B.4.d. 
Therefore, we request additional comments on these recommendations by October 5, 2015. 
Comments from the Commander,did not address Recommendation B.5. 
Therefore, we request additional comments on these recommendations by October 5, 2015. We 
received the Administrative Assistant to the Secretary of the Air Force and DoD Chief Information 
Officer comments on the draft report too late to include them in the final report. Therefore, if the 
Administrative Assistant to the Secretary of the Air Force and DoD Chief Information Officer do not 
submit additional comments, we will consider those comments as the management response to the 
final report. 


(FOUO) The Under Secretary of Defense for Intelligence; Commander, Air Force Materiel Command; 
Commander, Air Force Space Command; Commander, Air Force Reserve Command; Commander, 
24th Air Force; and Commander, did not provide comments, 

and therefore, may not have taken any actions to correct or mitigate vulnerabilities identified in the 
report. The vulnerabilities identified 
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(FOUO) ||H|||m|^mj||||^^^^^^^^^Jl ^ ls squired that these addressees respond to the 
recommendations in the final report with the actions taken to resolve these vulnerabilities by 
October 5,2015. 


(U) Please send a PDF file containing your comments to and 

Copies of your comments must have the actual signature of the 
authorizing official for your organization. We cannot accept the /Signed/ symbol in place of the 
actual signature. If you arrange to send classified documents electronically, you must send them 
over the SIPRNet. 


(U) We appreciate the courtesies extended to the staff. Please direct questions to 


lib) K<) plIiTTiiT 



Carol Gorman 

Assistant Inspector General 
Readiness and Cyber Operations 
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Introduction 


(U) Introduction 

(U) Objective 

(U) Our audit objective was to determine whether the Air Force was effectively 
protecting its Secret Internet Protocol Router Network (SIPRNet) access points. 
Specifically, we reviewed the security safeguards that protected the SIPRNet access 
points at selected locations. This is the second in a series of audits to review the 
safeguards implemented by the Military Departments to protect SIPRNet access points. 
See Appendix A for our scope and methodology. 


(■ FOUO) SIPRNet access points are all possible physical or logical connections where a 
user can access SIPRNet. Physical safeguards such as locks, guards, and security 
containers deter or delay adversaries' access to the network. Logical safeguards are 
system-based mechanisms such as firewalls, permission settings, usernames and 
passwords, and SIPRNet tokens that are used to designate who or what has access to a 
specific system or function. Air Force Space Command manages the Air Force SIPRNet, 
and 24th Air Force operates the network. 


( FQUQ) All Air Force bases connect to SIPRNet throughjitijaccess points called 


Gateways. JjjUGateways are located in the continental United States and Util are 
outside the continental United States. The Gateways control all network traffic in and 
out of the Air Force SIPRNet. 2 The data management responsibilities for SIPRNet are 
decentralized and divided among multiple squadrons that are subordinate to 
24th Air Force and various Air Force major commands. 



(U ) 1 Gateways are the entry and exit points for data to and from the SIPRNet. 

(U ) 2 The SIPRNet connects the Air Force classified enclaves to the Defense Information Systems Network. 

(U ) 3 Firewalls refer to hardware and software that limits access between networks or systems (or both) in accordance with 
a specific security policy. 

(U ) 4 Network defense devices include equipment used to monitor, detect, analyze, and respond and restore activities. 
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Introduction 


(FOUO) The Gateways provide SIPRNet connection to the enclaves, 5 which support 
approximately 75,000 SIPRNet users. Figure 1 shows the flow of data between the 
access points, enclaves, and Gateways, and the squadrons that manage the SIPRNet. 



[Uj Figure 1: Air Force SIPRNet Data Flow and Data Management Responsibilities 


|(l» (7|(F) 


(fOUOj 


(i»<7)(ri 


(rouo ) 


(U ) 5 Enclaves are a collection of information systems connected by one or more internal networks under the control of a 
single authority and security policy. 

(U ) 6 The perimeter of a network encompasses all network components that are to be accredited by the designated 
accrediting authority. 

(U ) 7 Host Based Security System is an application that monitors, detects, and cour 


(U) 8 The communications squa 


responsible for each base we reviewed were 
ommunications Squadron atlUIttiyM, and 



ainst known cyber threats, 
iommunications Squadron at 
ommunications Squadron at 


secret 
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Introduction 


(FOUO] We reviewed physical and logical safeguards for SIPRNet access points at the 



(U) Vulnerability Categories 

(U] DoD guidance 9 requires all vulnerabilities identified during Information 
Assurance (IA] control validation 10 be corrected or mitigated or that the risk be 
accepted. In addition, DoD Components 11 are required to report vulnerabilities on the 
Information Technology (IT] Security Plan of Action and Milestones (POA&M] before 
they grant an authorization to operate (ATO). 12 The IT Security POA&M assists agencies 
to identify, assess, prioritize, and monitor the DoD network's vulnerabilities and should 
include the actions performed to correct or mitigate the vulnerabilities. The 
IT Security POA&M should include the vulnerability and an assigned vulnerability 
severity category (CAT). 

(U) CAT I vulnerabilities are assigned to findings that allow primary security 
protections to be bypassed, which allow immediate access by unauthorized personnel. 
Before an ATO is granted, all CAT I vulnerabilities are required to be corrected. For new 
CAT I vulnerabilities, the system can continue to operate on the network only if the 
designated accrediting authority certifies in writing that continued system operation is 
critical to mission accomplishment and the DoD Component Chief Information 
Officer (CIO] authorizes the system to continue to operate. Otherwise, the system must 
be disconnected from the SIPRNet. 


(U) 9 DoD Instruction 8510.01, "DoD Information Assurance Certification and Accreditation Process (DIACAP)," 

November 28, 2007. The authorizations to operate for | 
issued under DoD Information Assurance Certification and Accreditation Process for up to three years and are 
applicable until recertification. 

(U) 10 Validation confirms or establishes by testing, evaluation, examination, investigation, or competent evidence that a 
DoD information system assigned information assurance controls are implemented correctly. 

(U) 11 DoD Components include Combatant Commands, Services, Agencies, and Field Activities. 

(U) 12 Authorization to operate is an authorization granted by a designated accrediting authority for a DoD information 
system to process, store, or transmit information; an authorization to operate indicates a DoD information system 
has adequately implemented all assigned IA controls to the point where residual risk is acceptable to the designated 
accrediting authority. 


(b)(7)(E) 
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Introduction 


DoD Instruction 5010.40, "Managers' Internal Control Program (MICP) Procedures,” 
May 30, 2013, requires DoD organizations to establish a program to review, assess, and 
report on the effectiveness of internal controls. We identified internal control 
weaknesses for 24th Air Force andlj^^^H. Specifically, 


.13 We will provide a copy of the report to 
the senior official responsible for internal controls at 24th Air Force and^^^^|. 


£6} We also identified internal control weaknesses for 

. Specifically, 
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Finding A 


(U) Finding A 



(FOUO) The Air Force 


1(b)(3). Ill USC'5 13Ho. (b)(7)(E) 



Specifically: 





(FOUO) 



Communications Squadron (CS), 

(b)(7)(E) 

, and 

(b)(7)(E) 


CS, 


(b)(3). m use § I30e: (b)(7)(E) 


(l>)<3). 10 USe $ I30e: (b)(7)(E) 



This occurred because jraBU CS 
andittliid CS 


<b> (7)(Ii> »5»H(b)<3). louses I30e. (b)(7)(E) 



(h)(1). I •)<!•): (b)(3). 1(1 use 5 1 3Ue. (b)(7)(E) 


I 


(U) 15 Port security solutions are any method used to electronically lock network ports so that only approved devices can use 
the port. 

(U) 16 Removable media are items such as compact discs, digital video disc, secure digital cards, tape, flash memory data 
storage devices, diskettes, multi-media cards, and external hard drives. 


(l iiOUO) 17 For this report. 
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were issued under DIACAP for 


(U) 23 Boundary protection is monitoring and controlling communications at the external boundary of an information system 
to prevent and detect malicious and other unauthorized communications. 

(U) 24 The authorizations to operate for 

up to three years and are applicable until recertification. 

(U) 25 For the DIACAP, see Appendix B. 

(U) 26 The Air Force Space Command submits Air Force ATOs to the Defense Information Systems Agency for approvals to 
connect to the Defense Information Systems Network. 
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. After our site visit, 
. The Commander, 

Air Force Materiel Command and Commander, Air Force Reserve Command should 
review the bases under their command and implement a 
if needed. 


10 use * (h)</)(!:) 



(U) 27 Depending on where the Air Force ATOs are in the certification process will determine if the DIACAP or Risk 
Management Framework for DoD Information Technology applies. The Transition from the DIACAP to the Risk 
Management Framework for DoD Information Technology must not exceed the system re-authorization timeline. 

(U) 28 Defense Information Systems Agency, "Access Control in Support of Information Systems," Security Technical 
Implementation Guide, Version 2, Release 3, October 29, 2010. 

(U) 29 The Category I vulnerabilities were identified on the November 2014, December 2014, January 2015, February 2015, 
and March 2015 Assured Compliance Assessment Solution scans. 

(U) 30 Assured Compliance Assessment Solution vulnerability scans. 
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(U) Table. CAT I Vulnerability Scan Results 


I 4(f). (b)(3). IOUSC !j I4(ie. (h)(7Hb'l 


(U) Note: The monthly scan results are located in Appendix C 



(U) 31 DoD Instruction 8510.01, "DoD Information Assurance Certification and Accreditation Process (DIACAP)," 
November 28, 2007. 

(U) 32 internet Protocol addresses are identifiers that are assigned to equipment connected to the network. 
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(U) 34 The authorizations to operate for 

up to three years and are applicable until recertification. 

(U) «S reports to Air Combat Command and thejj^HlS reports to Air Force Materiel Command. 


were issued under DIACAP for 
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(l»<l>. I -l<y>. in USC $ I (b)(7)(E) 


(=r 


i 



(U) 36 We used the control test table developed by DoD OIG Quantitative Methods Division and published in the Council of 
the Inspectors General on Integrity and Efficiency, "Journal of Public Inquiry," 2012-2013 when performing the 
control tests. 

( f - Q i ilO) 37 U.S. Cyber Command, Task Order 14-0185, "Insider Threat Mitigation," July 17, 2014 and Defense Information 
Systems Agency Program Executive Office - Mission Assurance Host Based Security System, "Device Control 
Module Guidance for Task Order 14-0185," October 28, 2014. 
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(U) 38 The Office of the Secretary of Defense Memorandum "Insider Treat Mitigation," July 12, 2013, was signed by the 
Department of Defense, Chief Information Officer and the Under Secretary of Defense for Intelligence; however, 
U.S. Cyber Command is required to issue additional guidance. 
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) (3). Id USC >i l.soe. (b)(7) 


during the 


1(b)(3). Ml USC' 5 I30o. (h) 
<7)(E> 


. We requested a list of users 

6-month period from August 2014 through January 2015 for each CS. 

, however, 

as a result of our audit, in May 2015,^^ CS 
identified approximately 


We compared the lists 

provided by to a list of current 


(rC'JC) As a resul t of our 
audit, in May 2015,"’ ,,7l,b ' 
identified approximately 

(h)(3). IliUSCS 1300. (b)(7)(E) 1 
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Finding A 


(b) In USr $ 130e. (h) (7)(fl) 


( ■ FQUO) users with SIPRNet access_ 

In addition, while performing other tests of controls, we identified users 

I. See Appendix D for our testing results 


(l>) U). Ill USC ! 
1311c. (b)(7)(E) 





(b)(3). IKUSCS I3ue: (b)(7)(E) 


The Commander,)_ 

| according to DoD and Air Force 

guidance. Ifj|||j|||j||^^y^y^^| cannot be developed then the Commander, 

should coordinate with base CSs and any other necessary parties to develop a 

The Commander,! 


(b)(3). I0USC § 1(b)(7)(E) 



in accordance with DoD and Air Force guidance. 


(U) 39 Chairman of the Joint Chiefs of Staff Instruction (GCSI) 6510.01F, "Information Assurance (IA) and Support to 
Computer Network Defense (CND)," February 9, 2011. 

(U) 40 Air Force Manual 33-282, "Computer Security," March 27, 2012; and Technical Manual Methods and Procedures, 
TO 00-33B-5004, "Access Control for Information Systems," December 19, 2012. 

(U) 41 Active Directory provides a method to store data and provide data to network users and administrators. 
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Finding A 



SAF/CIO A6 


should review the deficiencies identified, require a thorough review of the Air Force 
SIPRNet security safeguards performed at each command, and apply corrective actions 
as necessary. 

{U) Recommendations, Management Comments, 
and Our Response 

(U) Recommendation A.l 

We recommend that the Under Secretary of Defense for Intelligence, the 
Commander, U.S. Cyber Command, and the DoD Chief Information Officer, issue 
clarifying guidance for the Office of the Secretary of Defense Memorandum 
"Insider Threat Mitigation" to instruct Military Services and agencies on the 
proper procedures to 


(U) U.S. Cyber Command Comments 

(■ FO tJ O - ) The U.S. Cyber Command, Deputy Director, Current Operations, agreed, stating 
that the existing Defense Information Systems Agency Device Control Module guidance 
will be updated and released as of August 31, 2015. 


This will reinforce supporting documentation such as the 

SECRET 
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Finding A 

£ F0EOj) February 11, 2014, White House memorandum "Near-Term Measures to 
Reduce the Risk of High Impact Unauthorized Disclosures" and the July 2, 2014, Office of 
the Secretary of Defense memorandum "Mitigations for Insider Threat and High Impact 
Unauthorized Disclosures." 

(U) Our Response 

(U) Comments from the Deputy Director addressed all of the specifics of the 
recommendation. No further comments are required to the final report; however, we 
request a copy of the formal policies and procedures described in the management 
comments before this recommendation can be closed. 

(U) DoD Chief Information Officer Comments 

(U) We received the DoD CIO comments on the draft report too late to include them in 
the final report. Therefore, if the DoD CIO does not submit additional comments, we 
will consider those comments as the management response to the final report. 

(U) Management Comments Required 

(U) The Under Secretary of Defense for Intelligence did not provide comments to the 
draft report. Therefore, we request the Under Secretary provide comments in response 
to the final report. 

(U) Recommendation A.2 

We recommend that the Commander, Air Force Materiel Command, and the 
Commander, Air Force Reserve 

| in accordance with Defense Information Systems Agency, "Access Control in 
Support of Information Systems," Security Technical Implementation Guide, 
Version 2, Release 3, October 29, 2010. 

(U) Management Comments Required 

(U) The Commander, Air Force Materiel Command and Commander, Air Force Reserve 
Command did not provide comments to the draft report. Therefore, we request the 
Commanders provide comments in response to the final report. 

(U) Recommendation A.3 

We recommend that the Commander, U.S. Cyber Command and Director, 
Defense Information Systems Agency, coordinate to issue clarifying guidance for 

SECRET 
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Finding A 


(S3 the Task Order 14-0185, "Insider Threat Mitigation," July 17, 2014, to instruct 
DoD Components to 


(U) U.S. Cyber Command Comments 

(F0U0) The U.S. Cyber Command, Deputy Director, Current Operations, agreed, stating 
that the existing Defense Information Systems Agency Device Control Module guidance 
will be updated to 

The Defense Information Systems Agency will work in coordination with 
U.S. Cyber Command to update the guidance and notify the community when released. 


(U) Our Response 

(U) Comments from the Deputy Director addressed all of the specifics of the 
recommendation. No further comments are required to the final report; however, we 
request a copy of the formal policies and procedures described in the management 
comments before this recommendation can be closed. 


(U) Defense Information Systems Agency Comments 
(FOUO) The Defense Information Systems Agency, Executive, Infrastructure 
Development, agreed, stating that the Defense Information Systems Agency 
Infrastructure Directorate will update the Device Control Module guidance to|^^| 

The Defense Information 

Systems Agency will work in coordination with U.S. Cyber Command to update the 
guidance and notify the community when released. 

(U) Our Response 

(U) Comments from the Executive addressed all of the specifics of the recommendation. 
No further comments are required to the final report; however, we request a copy of the 
formal policies and procedures described in the management comments before this 
recommendation can be closed. 


(U) Recommendation A.4 

We recommend that the Commander, Air Force Space Command, submit 


(h)(3). 10 USC § 130c; (h)(7)(E) 


| to the Defense Information Systems Agency for 
in accordance with applicable DoD guidance, either 
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(FOUO) DoD Instruction 8510.01, "DoD Information Assurance Certification and 
Accreditation Process (DIACAP)," November 28, 2007 or DoD Instruction 8510.01, 
"Risk Management Framework (RMF) for DoD Information Technology (IT)," 
March 12, 2014. 

(U) Management Comments Required 

(U) The Commander, Air Force Space Command did not provide comments to the draft 
report. Therefore, we request the Commander provide comments in response to the 
final report. 

(U) Recommendation A.5 

(U) We recommend the Air Force Chief, Information Dominance Chief 
Information Officer: 

a. ( ' FQUQ) Review the deficiencies identified, require a thorough 
review of the Air Force Secret Internet Protocol Router Network 
security safeguards performed at each command, and apply 
corrective actions as necessary. 


(U) Air Force Information Dominance Chief Information Officer Comments 
(U) The Air Force Information Dominance Chief Information Officer, Chief, 
Cybersecurity Division, neither agreed nor disagreed, stating that SAF/CIO A6 identified 



with the Secretary of the Air Force, Inspector General (SAF/IG} to develop an 

Air Force-wide mandatory inspection item for the second quarter FY 2016. Estimated 

completion of tasks is second quarter FY 2017. 
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(U) Our Response 

Comments from the Chief partially addressed the recommendation. We request 
that the Chief provide additional comments that address all report findings, not just 
Also, provide comments that describe the implementation plan in 
response to the final report. 


b. (FOUO) Develop a plan to create a list of mission critical systems, 
update the list periodically, and provide this information to the 
appropriate communications squadron and network personnel at 
each base. 


(U) Air Force Information Dominance Chief Information Officer Comments 
(U) The Air Force Information Dominance Chief Information Officer, Chief, 
Cybersecurity Division, neither agreed nor disagreed, stating that 
DoD Instruction 8510.01 states that the DoD Component CIO (SAF/CIO A6) must make 



(h)(3). 10 USC $ 130e. (b)(7)(E) 


(U) Our Response 

(FOLIO) Comments from the Chief did not address the specifics of the recommendation. 
We agree that mission criticalityffl 

However, if the system owner considers the system mission critical, it is 

| The decision to classify a system as 

mission critical 

| In addition, the 
CSs 

j | Therefore, we request the SAF/CIO A6 provide additional comments in 
response to the final report. 
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(U) Recommendation A.6 

We recommend that the Commander, 24th Air Force, in coordination with the 
Commander, 


I 4(u).(i»(3). i hum. $ i.iue:(i»(/)(b) 


in accordance with DoD policy. 

(U) Management Comments Required 

(U) The Commander, 24th Air Force and Commander, 

| did not provide comments to the draft report. Therefore, we request the 
Commanders provide comments in response to the final report. 

(U) Recommendation A.7 

(U) We recommend that the Commander, 

in accordance with Chairman of the Joint Chiefs of Staff Instruction 
6510.OIF, "Information Assurance (IA) and Support to Computer Network 
Defense (CND),” February 9,2011 and Technical Manual Methods and 
Procedures, TO 00-33B-5004, "Access Control for Information Systems," 
December 19, 2012. 


(b)(3). 10 UM. * I .toe: (b)(7)(b) 


(U) Commander, 

(F0U0) The Director of Operations, 
Air Force Reserve Command 


Comments 

, neither agreed nor disagreed, stating that 


b)(3). UM. $ I .tile, (b)(7)(b) 
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(U) Our Response 

(U) Comments from the Director addressed all of the specifics of the recommendation. 
No further comments are required to the final report; however, we request a copy of the 
formal policies and procedures described in the management comments before this 
recommendation can be closed. 

(U) Recommendation A.8 

(U) We recommend that the Commander, 


a. Develop procedures to 


10 ) 11 ). I -Hu); (b) (j). lit use * 13()e; (b)(7)(F) 



(h)(1). 1 1(g). (h)(3). lO.USCJj I30e. (h)(7)(H) 


b. (S} Develop procedures to 

their major commands and the Air Force Chief, Information 
Dominance Chief Information Officer. 


(U) Commander ; 

The Commander, 


Comments 


, neither agreed nor disagreed, 


mill. I 4(u). (b)(3). IdUSC i) I3l)e. (b) | 
71(H) 



(U) Our Response 

& Comments from the Commander did not address the specifics of the 
recommendations. The process described 


(t»(II I -Hu). <l»(3). Ill use D I30o. (h)(7)(E) 



Therefore, we request the Commander provide comments in 
response to the final report. 
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• um_ $ Line. (i>) (/j(b) 


in accordance with 


Chairman of the Joint Chiefs of Staff Instruction 6510.OIF, 
"Information Assurance (IA) and Support to Computer Network 
Defense (CND)," February 9, 2011 and Technical Manual Methods 
and Procedures, TO 00-33B-5004, "Access Control for Information 
Systems," December 19, 2012. 


(U) Commander, 
(U) The Commander, 
now in place to 


Comments 

, neither agreed nor disagreed, stating that processes are 


DM3). Il'UM. $ I(D)(7)(b) 


. It will be the member's 
responsibility to contact their Information System Security Officer or CSA [Client 
System Administrator] to 

(U) Our Response 

[U] Comments from the Commander addressed all of the specifics of the 
recommendation. No further comments are required to the final report; however, we 
request a copy of the formal policies and procedures described in the management 
comments before this recommendation can be closed. 


(U) Recommendation A.9 

(U) We recommend that the Commander, 


a. (5} Develop procedures to 



(U) Commander, 
The Commander, 
being developed to 


Comments 


, agreed, stating that procedures are 
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(U) Our Response 

(U) Comments from the Commander addressed all of the specifics of the 
recommendation. No further comments are required to the final report; however, we 
request a copy of the formal policies and procedures described in the management 
comments before this recommendation can be closed. 


(b)(1). I-1(g). (b)(3). In USC § I3()e. (b)(7)(E) 


b. Develop procedures to| 

their major commands and the Air Force Chief, Information 
Dominance Chief Information Officer. 


to 



(U) Our Response 

(U) Comments from the Commander addressed all of the specifics of the 
recommendation. No further comments are required to the final report; however, we 
request a copy of the formal policies and procedures described in the management 
comments before this recommendation can be closed. 


c. ( ' FOUO) in accordance with 

Chairman of the Joint Chiefs of Staff Instruction 6510.01F, 
“Information Assurance (IA) and Support to Computer Network 
Defense (CND)," February 9,2011, and Technical Manual Methods 
and Procedures, TO 00-33B-5004, "Access Control for Information 
Systems," December 19, 2012. 


(U) Commander, 
^ The Commander, 
been implemented. 



Comments 

, agreed, stating that the process has 


(U) Our Response 

Comments from the Commander addressed all of the specifics of the 
recommendation. No further comments are required to the final report. 
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(U) Recommendation A.10 

(U) We recommend the Commander, 


a. Develop procedures to 



d. ( T - QUO) Develop and implement 


according to the Chairman 
of the Joint Chiefs of Staff Instruction 6510.01F, "Information 
Assurance (IA) and Support to Computer Network Defense (CND)," 
February 9, 2011, and Air Force Manual 33-282, "Computer 
Security," March 27, 2012, and if||||||||j|j^^^^^^^ cannot be 
developed, then coordinate with base communications squadrons 
and any other necessary parties to develop a 




(U) Management Comments Required 

(U) The Commander, did not provide comments to 

the draft report. Therefore, we request the Commander provide comments in response 
to the final report. 
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(U) Finding B 



(U) 42 National Security Telecommunications and Information Systems Security Instruction 7003, "Protected Distribution 
Systems," December 13,1996 and Air Force System Security Instruction 7703, "Communications Security: Protected 
Distribution Systems," August 26, 2008. 
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(U) 43 A PDS is used to transmit unencrypted classified information through an area of lesser classification. 

(U) 44 National Security Telecommunications and Information Systems Security Instruction 7003, "Protected Distribution 
Systems," December 13, 1996. 

(U) 45 Air Force System Security Instruction 7703, "Communications Security: Protected Distribution Systems," 

August 26, 2008. 
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. In addition, the Commander,|§| should immediately 



(u) 
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requires each user who requests SIPRNet access to complete: 


(U) 47 Enterprise Network Data Repository 
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• ( FdHJO) DD Form 2875, "System Authorization Access Request (SAAR)" in 
accordance with Air Force Manual 33-152, "User Responsibilities and 
Guidance for Information Systems," June 1, 2012. This form documents 
supervisor, security manager, and IAO approval for system access and need 
to know; 

• (FQUO) DD Form 2842, "Department of Defense Public Key 
Infrastructure (PKI) Certificate of Acceptance and Acknowledgement 
of Responsibilities," August 2009. This form is used to acknowledge 
the users responsibility to safeguard the token and the registration 
official verifies the identity of the individual; 

• (rOUO) SF 312, "Nondisclosure Agreement" in accordance with 

Air Force Instruction 31-501, "Personnel Security Program Management," 
January 27, 2005. Users complete this form to accept the obligation to 
protect classified information; and 

• (rOUO) Air Force (AF) Form 4394, "Air Force User Agreement 
Statement-Notice and Consent Provision" in accordance with Air Force 
Manual 33-152, "User Responsibilities and Guidance for Information 
Systems," June 1, 2012. This form identifies rules of system use and user 
consent to monitoring. 


(FQUO) The CSs did not verify completion of required forms to gain SIPRNet access. 

To determine if the forms required to gain access to SIPRNet were correctly completed, 
we performed control tests for the DD Forms 2875, DD Forms 2842, SF 312, 
and AF Forms 4394 for 45 personnel and 

for 39 personnel atj 


_|. We identified errors in the forms and, therefore, 

the control test failed. The Table below identifies the number of forms provided by 
the respective CS and outlines the results of our analysis. 
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(U) Table. Forms Required for SIPRNet Access 


(rCL'C) DD Form 2875 DD Form 2842 SF 312 AF Form 4394 


(l»(7KE) 


Received (out of 45) 

20 

34 

Completed Correctly 

11 

25 

Completed Incorrectly 

9 

9 

Forms Not Received 

25 

11 


)li) (7)(E| 

1 

Received (out of 45) 

22 

44 

Completed Correctly 

16 

44 

Completed Incorrectly 

6 

0 

Forms Not Received 

23 

1 

(Wxn 

Received (out of 39) 

36 

28 

Completed Correctly 

5 

28 

Completed Incorrectly 

31 

0 

Forms Not Received 

3 

11 


(U) Note: See Appendix F for more detail. (rOUO) 

(FOUO) This occurred because the CSs did not establish policies and procedures to 
verify that all IAOs completed and approved forms required for network access before 
they provided users with SIPRNet access. 

The Commander^J|^^^^^|m^^|; the Commander,and the 
Commander,should develop procedures to verify that access forms are 
accurately completed before access to the SIPRNet is granted. 


(rOUO) Air Force Did Not Conduct NATO Briefings 

( ■ flQNO) Security did 

not conduct NATO briefings for all personnel with SIPRNet access. The security 
manager at^^^^J stated that they provided the NATO briefing within a Security 
Administration briefing; however there was not written acknowledgement of the 
briefings as required by Air Force guidance. The security managers at||||m 

| stated that they only provided the briefings when access 
to NATO information was necessary. However, NATO information is not segmented on 
SIPRNet andjym 
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(FOUO) 

According to DoD 48 

and Air Force Guidance, 49 all cleared military, civilian, and contractor personnel should 
receive a NATO security briefing and a written acknowledgement of the NATO training 
will be maintained. 


fr PQNQ - j This occurred because the^m^f security personnel were not sure what "all 
cleared personnel" meant. Additionally, security personnel at^^^|^| thought a 
read receipt would satisfy the requirement for written acknowledgement. Finally, 
security personnel were not aware of the requirement to 

have all personnel take the NATO briefing. The requirement for NATO briefings is 

important due to the ongoing missions and operations 
of the Air Force. Since NATO briefings were not 
conducted, individuals were not aware of the 
appropriate method to secure and protect NATO 
information. The Administrative Assistant to the 
Secretary of the Air Force, should develop an action 
plan to ensure Air Force commands conduct the NATO briefings for all personnel as 
required by DoD Manual 5200.01, volume 1, "DoD Information Security Program: 
Overview, Classification, and Declassification," February 24, 2012, and develop a 
mechanism to identify and track personnel who receive the training. 


uuu) Since NA TO 
briefings were not 
conducted, individuals 
were not aware of the 
appropriate method to 
secure and protect 
NATO information. 


(U) 48 DoD Manual 5200.01, volume 1, "DoD Information Security Program: Overview, Classification, and Declassification," 
February 24, 2012. 

(U) 49 Air Force Instruction 31-401, "Information Security Program Management," Change 1, August 19, 2009 was in effect 
when we began the audit. However, during the audit it was superseded by Air Force Instruction 16-1404, "Air Force 
Information Security Program," May 29, 2015. 
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(roue) The physical 
safeguar ds for the Air Force 

,RNet ,l ” (i| |IS( * 1 < l,|| 7i<n I 


(EOUQ) DoD must defend its information and must do 
more to secure its cyber infrastructure. The physical 
safeguards for the Air Force SIPRNetKlfflf^J 



(U) Recommendation B.l 

( F9WQ) The Administrative Assistant to the Secretaiy of the Air Force, should 
develop an action plan to ensure Air Force commands conduct the North Atlantic 
Treaty Organization briefings for all personnel as required by DoD Manual 
5200.01, volume 1, "DoD Information Security Program: Overview, Classification, 
and Declassification," February 24, 2012, and develop a mechanism to identify 
and track personnel who receive the training. 

(U) Administrative Assistant to the Secretary of the Air Force Comments 
(U] We received the Administrative Assistant to the Secretary of the Air Force 
comments on the draft report too late to include them in the final report. Therefore, if 
the Administrative Assistant to the Secretary of the Air Force does not submit additional 
comments, we will consider those comments as the management response to the 
final report. 
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(U) Recommendation B.2 


£E OUO) We recommend that the Air Force Chief, Information Dominance Chief 



(U) Air Force Chief Information Dominance Chief Information 
Officer Comments 

flFQUO) The Air Force Information Dominance Chief Information Officer, Chief, 
Cybersecurity Division, neither agreed nor disagreed, stating that there is a policy in 
place and units were notified on July 6, 2010. The policy is the Methods and Procedures 
Technical Manual 00-33d-2001, "Active Directory Naming Conventions," May 8, 2009. 
The Manual provides instructions for entry into Active Directory with standard naming 
convention to include physical location and designated system administrator. The 
SAF/CIO A6 recommends CS reference equipment location in Active Directory and 
ensure adherence to the Active Directory Naming Conventions. In addition, Air Force 
Manual 33-153, "Information Technology Management," provides guidance to manage 
Air Force equipment. 


(U] Our Response 

£FOUO] Comments from the Chief did not address the specifics of the recommendation. 
The Air Force Manual and Methods and Procedures Technical Manual described do not 
require! 


(b)(3). IOUSC § 130c. (h)(7)(b) 


|. Therefore, we request the SAF/CIO A6 provide 
comments in response to the final report. 

(U) Recommendation B.3 

fl F Q FFO j We recommend that the Commander, develop 

procedures to verify that access forms are accurately completed before access is 
granted to the Secret Internet Protocol Router Network. 
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(U) CommaComments 

(U) The Director of Operations,mUl CS, neither agreed nor disagreed, stating that the 
mHH CS has implemented a process to ensure completion and standardization of the 
DD Form 2875. This process involves the participation of the requestor's supervisor, 
unit security manager, and unit IAO. A form submitted will be reviewed for accuracy by 
the Information Assurance Manager, Local Registration Authority, and SIPRNet Client 
Service Technician. The DD Form 2875 will be returned to the unit IAO if received 
incomplete. The requestor will provide copies of their derivative training and Cyber 
Awareness training certificates. 

(U) Our Response 

[U) Comments from the Director addressed all of the specifics of the recommendation. 
No further comments are required to the final report; however, we request a copy of the 
formal policies and procedures described in the management comments before this 
recommendation can be closed. 


(U) Recommendation BA 

(U) We recommend that the Commander, 


a. (FOUO) Develop and implement a plan to 


ioum. s l.we. ibM/lit) 


b. (FOUO) Immediately 


in uhi $ iJoe:(bM/i(hi 



c. jj j as required, by 

Air Force System Security Instruction 7703, "Communications 
Security: Protected Distribution Systems," August 26, 2008. 


(U) Commander . | | Comments 

(U) The Commander,HHH CS, neither agreed nor disagreed,] 
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(U) Our Response 

(U) Comments from the Commander addressed all of the specifics of the 
recommendation. No further comments are required to the final report. 

d. (FQUO) Develop procedures to verify that access forms are 
accurately completed before access is granted to the Secret 
Internet Protocol Router Network. 

(U) Commander, Comments 

(TOUO) The Commander,j|j|m CS, neither agreed nor disagreed, stating that processes 
are currently in place to ensure that all documents are properly filled out before 
submitting a SIPRNet account request by the unit Information Systems Security Officer. 
This has been briefed to squadron, group, and wing commanders. 

(U) Our Response 

(U) Comments from the Commander did not address the specifics of the 
recommendation. The process described was not effective as discussed in the report. 

could not provide 75 access forms and users did not properly 
complete 18 access forms. Therefore, we request the Commander provide comments in 
response to the final report. 

(U) Recommendation B.5 

(TOUO) We recommend that the Commander, develop 

procedures to verify that access forms are accurately completed before access is 
granted to the Secret Internet Protocol Router Network. 

(U) Commander,Comments 

The Commander,Mission Support Group, agreed, stating that 
follows Air Force Network procedures for account creation and paperwork in 
accordance with Air Force Manual 33-282. The Unit CSL maintains and provides the CS 
a copy of the DD Form 2875 to review for proper signatures before accounts are 
created. The regulation requires the unit CSL to maintain the original paperwork. 
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(U) Our Response 

(U) Comments from the Commander did not address the specifics of the 
recommendation. The process described was not effective as discussed in the report. 

could not provide 53 access forms and users did not properly complete 
6 access forms. Therefore, we request the Commander provide comments in response 
to the final report. 


(I»J <7HH) 
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(II) Appendix A 


(U) We conducted this performance audit from October 2014 through July 2015 in 
accordance with generally accepted government auditing standards. Those standards 
require that we plan and perform the audit to obtain sufficient, appropriate evidence to 
provide a reasonable basis for our findings and conclusions based on our audit 
objectives. We believe that the evidence obtained provides a reasonable basis for our 
findings and conclusions based on our audit objectives. 


(U) We performed the audit to determine whether the Air Force effectively protected 
SIPRNet access points. We focused our review on the Air Force SIPRNet managed by 
We nonstatistically selected a sample of three Air Force bases (j|jj|||H 

) to determine whether Air Force commands 
properly implemented logical and physical controls to protect SIPRNet access points. 
The commands chosen represented SIPRNet use that varied among active military and 
reserves. We reviewed physical and logical security safeguards at each base and logical 
controls and|jj|^^|. In addition, we reviewed the certification and 

accreditation packages for each base. 


(U) During our review, we interviewed DoD and Air Force component personnel. We 
interviewed personnel at: 

• (U) U.S. Cyber Command to discuss 


(U) SAF/CIO A6 to discuss SIPRNet 


to obtain, review, and analyze 


louse?} LWe. (b)(7)(E) 
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o (U) obtained, reviewed, and analyzed network access and write 
privilege processes; 

o (U] obtained, reviewed, and analyzed vulnerability management, 
user authentication, account monitoring, asset management, and 
personnel access policies and procedures; and 

o (U) observed physical security for SIPRNet access points. 

(U) In addition, we performed control tests for: 

• (U) write privileges; 

• (U) background checks; and 

• (U) DD Forms 2875, DD Forms 2842, SF 312, and AF Forms 4394. 

(U) We selected a random 50 sample of: 


(U) 45 accounts from a universe 0 fj|j|||| SIPRNet accounts atj 


• (U) 45 accounts from a universe of^|y SIPRNet accounts at 

• (U) 39 accounts from a universe offS9 SIPRNet accounts at 



; and 


(UJ These decision rules applied for our control tests: if there were no errors in the 
sample, then the control passed, and if there were one or more errors, then the control 
failed. We used the control test table developed by Quantitative Methods Division at the 
DoD OIG and published in the Council of the Inspectors General on Integrity and 
Efficiency, "Journal of Public Inquiry," 2012-2013. 



(U) 50 We selected a nonstatistical sample of user accounts. We randomized the universe to reduce bias during the sample 
selection. 
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(UJ To determine whether the DD Forms 2875 were appropriately completed and 
approved, we verified if the: 


• (U) user, information assurance officer, and security manager signed 
the form; 

• (U] 1A training was completed within a year of the information assurance 
manger's signature; and 

• (U) boxes were checked to annotate the user had a need to know and access 
to classified information. 

(U) To determine whether DD Forms 2842 were appropriately completed and 
approved, we verified that the user and registration official signed and dated the form. 
Finally, to determine whether the AF Forms 4394 were appropriately completed, we 
verified that the user signed and dated the forms. 


b) (3). 10 USC § !3Ue: (b) (7)(H) 


I; we 


(U) In addition, to determine whetherj 

requested a list of users |||||||||^|j|||||| during the 6-month period from August 2014 
January to 

compare to a list of current SIPRNet users. 



(FOUO) We obtained and analyzed certification and accreditation packages from 
Enterprise Mission Assurance Support Service. We used the packages to determine 
whether the SIPRNet accreditation at the Air Force bases was appropriate. To assess 
the reliability of the Enterprise Mission Assurance Support Service accreditation data, 
we compared the data to controls in operation. In addition, we interviewed Air Force 
and Defense Information Systems Agency personnel on the data accuracy. 

as discussed in Finding A. 


(b)(3), 1(1 USC § I30e: (b)(7)(E) 
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») (.'). L'M. $ line: Io) C /) 

V.) 


(■ F 9 B - 6 ; ) We obtained and analyzed Assured Compliance Assessment Solution 
vulnerability scans from^^^^. We used the data to determine if 

. Assured Compliance Assessment Solution is a DoD tool managed 
by Defense Information Systems Agency. 

We interviewed the SAF/CIO A6, 
identified in the vulnerability 
scans. We determined that these documents were sufficiently reliable for the purpose 
of this report. 


(I») (-1). MM St. $ UWc: (I'M /)(f) 


( ■ FQUO) 


(I'M-'). MM'SC I .We; (!') ( /)(1 1 



, as discussed in Finding B. 


( ■ FOfeJOj 


(l>) (.)). louse « I tdc. (b)(7)(E) 


as discussed in Finding A. 

(rQUO) We obtained and analyzed data from the Joint Personnel Adjudication System. 
The data was used to determine if personnel received background checks and signed 
nondisclosure agreements. Joint Personnel Adjudication System is the official 
repository of security information for DoD and the Defense Manpower Data Center 
manages the system. We interviewed security managers about the data stored in the 
Joint Personnel Adjudication System and observed them query the data. We 
determined that this data were sufficiently reliable for the purpose of this report. 
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(U) We obtained support from the DoD OIG Quantitative Methods Division to develop a 
random sample for review. We obtained support from the DoD OIG Technical 
Assessment Directorate to define SIPRNet access points. 


(U) During the last 5 years, the Air Force Audit Agency issued one report discussing 
controlled access to universal serial bus ports and compact disk drives and mitigation of 
identified vulnerabilities. 

(U) Air Force Audit Agency 

F2015-0002-030000, "Classified Information Systems Protection - Secret Internet 
Protocol Router Network," February 10, 2015. 
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(U) Appendix B 


(U) The DIACAP establishes a process to certify and accredit DoD information systems 
based on the implementation of IA controls. DIACAP applies to all DoD-owned and 
controlled information systems and consists of five activities: 

(U) Activity 1: Initiate Certification and Accreditation. Register the system with the 
appropriate DoD Component, assign IA controls to the information system, and initiate 
the DIACAP Implementation Plan. Each assigned control is implemented according to 
the applicable implementation guidelines provided in the DIACAP. 

(U) Activity 2: Implement and Validate IA Controls. Executes the DIACAP 
Implementation Plan, conducts validation activities, prepares the IT Security POA&M, 
and compiles validation results in the DIACAP Scorecard. The status of each assigned 
IA control is indicated on the DIACAP Scorecard as compliant, noncompliant, or 
not applicable. 

[U) Activity 3: Make Certification Determination and Accreditation Decision. 
Determines whether to certify and accredit a DoD information system. Each 
information system has a certifying authority, who bases the certification decision on 
IA validation results, and a designated accrediting authority, who bases the 
accreditation decision on a balance of mission or business need and protection of the 
information being processed. 

(U] Activity 4: Maintain Authorization. Sustains acceptable IA posture. The IA controls 
should be reviewed annually to confirm the effectiveness of the assigned IA controls or 
to recommend changes to the accreditation status. A designated accrediting authority 
may downgrade or revoke an accreditation decision at any time if risk conditions or 
concerns develop from the reviews. The results of an annual review or a major change 
in information assurance posture at any time may indicate the need for recertification 
and reaccreditation. 

(U) Activity 5: Decommissioning. Removes DoD information system from operation. 
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(II) Appendix C 



(PGGG) Table. 


1(h)(1). Ml CSC $ IJ*Oe. (I>) (7)(t) 


(S) Location November December January February March 
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(U) Appendix D 

(U) Test Results for 


from August 2014 through 
, to a list of 


(FOUO) We compared lists of personnel 
January 2015 provided by 
SIPRNet users 

I In addition, while performing other control tests, we identified user 


lllni'l. HU M ij | (IO (7)(I I 


[FOUO) 

; therefore, we did not perform a 
control test form||j||^H||^|jj||j^^^^^^^^^| However, while performing other 
control tests, we identified 
The Table below identifies the sites tested and identifies the results of the analysis 
including the number of 


(U) Table. 


Sites Tested 


Discovered During Testing 


(b)(1). HU S( * I MK\ (h)(7)(F) 


11" ( 7 1( 1 1 


Not Provided 




Ol » >) |M l M s' 1 w«C. (HI I / Ml » 
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(II) Appendix E 


fl POUO) We requested mm certification letters and PDS technical inspections. 

We received and reviewed cer Efication letters and|jjjmi| technical inspection 
documents. Our analysis of |m ii B Bl identified: 



(■E0UQ) 

(b)(3). II) USCS 131)0. (b)(7)(E) 


(FOUO) 



(rouo) 



(■FOUO) 



(FOUO) 



(U) Our analysis of the 


that had evidence of a technical inspection identified: 


• (rouo) 

• (FOUO) 

• (rouo) 

• (FOUO) 


|(i>)(’(. loi'sc 5 liiie.(ii)(7iin 
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(U) Appendix F 

(U) Control Test Results for Forms Required for 
System Access 

(U) DD Form 2875 

(FOUO) we received and reviewed 20 of the 45 requested 

DD Forms 2875. Of the 20 forms reviewed, 9 were not completed correctly including 
some with multiple discrepancies. Specifically, 

• (FOUO) 2 were signed and approved after we requested them from 

|HH CS; 

• (FOUO) 3 personnel did not meet the annual requirement for IA training 
before signing the form; 

• (FOUO) 1 was not signed and approved by the IAO; and 

• (FOUO) 5 did not have properly filled out access and need to know 
requirements; specifically, 2 of the 5 did not indicate the user had a 
"need to know" and 3 of the 5 did not indicate the user needed access to 
classified information. 

could not provide 25 of the 45 DD Forms 2875. 

(U) DD Form 2842 

( fi Q' UO) We received and reviewed 34 of the 45 requested DD Forms 2842. Of the 
34 forms reviewed, 9 did not have the required user or IAO signatures, 

| could not provide 11 of the 45 DD Forms 2842. 

(U)SFForm 312 

We received and reviewed 36 of the 45 requested SF Forms 312 and all were 
completed correctly. did not provide 8 of the 

45 SF Forms 312 because Chief, Information Protection, stated 

that the eight individuals had left^m^^^^^l^m. They could not provide 1 of 
the 45 SF Forms 312, 
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(U) AF Form 4394 

(FOUO) We received and reviewed 15 of the 45 requested AF Forms 4394 and all 
were completed correctly. could not provide 30 of the 

45 AF Forms 4394. 

(U) DD Form 2875 

(FOUO) AtyyiH, we received and reviewed 22 of the 45 requested DD Forms 2875. 
Of the 22 forms reviewed, 6 were not completed correctly including some forms with 
multiple discrepancies. Specifically, 

• (E Q ' feJO) 2 were not signed by the information owner or IAO; 

• (FOUO) 2 were not signed by the security manager; and 

• (FOUO) 5 did not indicate that the user had a need to know. 

£FOUO) did not provide 23 of the 45 DD Forms 2875 for various reasons such 

as users had left the base, confusion in the process for granting access, or an error 
in processing. 

(U) DD Form 2842 

(FOUO) We received and reviewed 44 of the 45 requested DD Forms 2842 and all were 
completed correctly. did not provide 1 of the 45 DD Forms 2842 because the 

created an account for a user that never came to complete the DD Form 2842 
before leaving^^^^J. 

(U)SFForm 312 

(FOUO) We received and reviewed 41 of the 45 requested SF Forms 312 and all were 
completed correctly. was unable to provide SF 312s for 4 of the 45 users. 

(U)AFForm 4394 

(■F O UQ) We received and reviewed 20 of the 45 requested AF Forms 4394 and all were 
completed correctly. did not provide 25 of the 45 AF Forms 4394 for various 

reasons such as users had left the base, confusion in the process for granting access, or 
an error in processing. 
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(U) 

(U) DD Form 2875 

( ■ FOUO) AtHi, we received and reviewed 36 of the 39 requested 
DD Forms 2875. did not provide 3 of the 39 DD Forms 2875 because the 

Information Assurance Manager stated that until December 2014, j_ 

did not have an established Information Assurance Officer program to ensure 
completion of the DD Forms 2875. Of the 36 DD forms reviewed, 31 were not 
completed correctly including some forms with multiple discrepancies. 


• (FOUO) 1 did not have the Security Manager's approval of 
security clearance; 

• ( FOUO) 2 did not have correct IA training documented; specifically, one 
person did not have IA training noted on the form and one person did not 
have IA training before signing the form and gaining access to the SIPRNet; 

• (FOUO) 30 were not signed and approved by the IAO; and 

• (FOUO) 12 did not have properly filled out access and need to know 
requirements. Specifically, of the 12: 

o (FOUO) 2 did not have "need to know" or access to classified 
information checked on the form, 

o (FOUO) 4 did not have "need to know" checked on the form, and 

o ( - FEU®) 6 did not have access to classified information checked on 
the form. 


(U) DD Form 2842 

(FOUO) We received and reviewed 37 of the 39 requested DD Forms 2842 and all were 


completed correctly. 


did not provide 2 of the 39 DD Forms 2842 because 


Information Assurance Manager stated that they misplaced the forms. 


(U)SFForm 312 

(FOUO) We received and reviewed 37 of the 39 requested SF Forms 312 and all were 


completed correctly. 

(h)(7)(E) 

did not provide 2 of the 39 SF Forms 312 because the 

lb) (7)|C> 

Chief, Information Protection, stated that the two individuals had 


||b)(7)(E) 
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(U) AF Form 4394 

(TOUO) We received and reviewed 38 of the 39 requested AF Forms 4394 and one was 
not completed correctly. did no t provide 1 of the 39 AF Forms 4394 

because thejmmU Information Assurance Manager stated that until December 2014, 
did not have an established Information Assurance Officer program to 
ensure completion of the AF Forms 4394. 
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(U) Appendix G 


(U) We used the following guidance throughout the audit. 

(U) National Security Telecommunications and Information 
Systems Security Committee 

(U) National Security Telecommunications and Information Systems Security 
Instruction 7003, "Protected Distribution Systems," December 13,1996, outlines 
the approval authority, standards, and guidance for PDS design, installation, 
and maintenance. 

(U) Chairman of the Joint Chiefs of Staff 

(U) Chairman of the Joint Chiefs of Staff Instruction 6510.01F, "Information 
Assurance (IA) and Support to Computer Network Defense (CND)," February 9, 2011, 
provides joint policy and responsibilities for IA and support to computer 
network defense. 

(U) DoD 

(U) DoD Instruction 8510.01, "Risk Management Framework (RMF) for DoD 
Information Technology (IT)," March 12, 2014, provides procedural guidance for the 
reciprocal acceptance of authorization decisions and artifacts within DoD, and between 
DoD and other Federal agencies, for the authorization and connection of 
information systems. 

(U) DoD Instruction 8510.01, "DoD Information Assurance Certification and 
Accreditation Process (DIACAP)," November 28, 2007, establishes a certification and 
accreditation process to manage the implementation of IA capabilities and services 
and provide visibility of accreditation decisions regarding the operation of 
DoD information systems. 

(U) DoD Manual 5200.01, volume 1, "DoD Information Security Program: Overview, 
Classification, and Declassification," February 24, 2012, implements policy, assign 
responsibilities, and provide procedures for the designation, marking, protection, and 
dissemination of controlled unclassified information and classified information. 
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(UJ Office of the Secretary of Defense Memorandum "Insider Treat Mitigation," 

July 12, 2013, provides procedures for information protection and insider threat 
mitigation to all DoD Components. 

(U) U.S. Cyber Command 

ffiQUO) U.S. Cyber Command Task Order 14 0185, "Insider Threat Mitigation," 

July 17, 2014, implements a number of technical and procedural safeguards to mitigate 
vulnerabilities exploitable by a determined insider threat. 

(U) Air Force 

(U) Air Force Instruction 16-1404, "Air Force Information Security Program," 

May 29, 2015, supersedes Air Force Instruction 31-401 and explains how to manage 
and protect unclassified controlled information and classified information. 

(U) Air Force Instruction 31-401, "Information Security Program Management," 

Change 1, August 19, 2009, explains how to manage and protect unclassified controlled 
information and classified information. 

(U) Air Force Instruction 31-501, "Personnel Security Program Management," dated 
January 27, 2005, provides guidance for personnel security investigations and 
clearance needs. 

(U) Air Force Manual 33-152, "User Responsibilities and Guidance for Information 
Systems," dated June 1, 2012, identifies policies and procedures for the use of 
cyberspace support systems and services and compliance requirements. 

(U) Air Force Manual 33-282, "Computer Security," March 27, 2012, implements 
computer security, which is designed to ensure the employment of countermeasures to 
protect and secure US government information processed by Air Force information 
systems by protecting the confidentiality, integrity, availability, authentication, and 
non-repudiation of information systems. 

(U) Air Force System Security Instruction 7703, "Communications Security: Protected 
Distribution Systems," August 26, 2008, provides the minimum protection standards 
based on national guidance for PDS to ensure the PDS provides adequate electrical, 
electromagnetic, physical, and procedural safeguards. 
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(U) Defense Information Systems Agency 

(U) Defense Information Systems Agency "Enclave" Security Technical Implementation 
Guide, Version 4, Release 4, January 9, 2014, provides assistance in meeting the 
minimum requirements, standards, controls, and options for securing an enclave as a 
whole and providing the technical guidance to secure specific enclave components 
in detail. 

(U) Defense Information Systems Agency, "Access Control in Support of Information 
Systems," Security Technical Implementation Guide, Version 2, Release 3, 

October 29, 2010, provides details for security framework for use when planning and 
selecting access control for protecting sensitive and classified information in DoD. 

It provides background and context for access control issues including the process of 
identification, authentication, and authorization for access to protected assets. 

(U) Defense Information Systems Agency, Program Executive Office - Mission 
Assurance, Host Based Security System, "Device Control Module Guidance for 
Task Order 14-0185," October 28, 2014, provides directorate level instructions for 
restricting the use of removable media on systems across the DoD. 
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(U) Management Comments 


ijnci Assii-n-:i)//few« 



DEPARTMENT OF DEFENSE 
UNITED STATES CYBER COMMAND 

9800 SAVAGE ROAD. SUITE 6477 
FORT GEORGE G. MEADE, MARYLAND 20755 


Reply to: 

Deputy Director, Current Operations 


MEMORANDUM FOR JOINT STAFF, J6 

Subject: DODIG Draft Report: Air Force Commands Need To Improve Logical And Physical 
Security Safeguards That Protect Sipmet Access Points. WMS Task #19609. 

References: (a) (U) DODIG Draft Report: Air Force Commands Need To Improve Logical And 
Physical Security Safeguards That Protect SIPRNet Access Points. Lasker 15- 
02944 

(b) (U//P©y©) USCYBERCOM TASKORD 14-0185 Insider Threat Mitigations, 

17 July 2014. 


1. (U//I OUO) The DODIG Recommendation A.l.: We recommend that the Under Secretary of 
Defense for Intelligence, the Commander, U.S. Cyber Command, and the DoD Chief 
Information Officer, issue clarifying guidance for the Office of the Secretary of Defense 
Memorandum "Insider Threat Mitigation” to instruct Military Services and agencies on the 
proper procedures to I 


(b)(3). In USC § 13oe: (b)(7)(E) 


(U// FOUO) AGREE. The existing Defense Information Systems Agency Device Control 
Module (DCM) guidance re fe rcnccd in naraaraph 3. B. I J^ofUSCYBERC O M TASKORD 14- 
0185 details the procedures tot he updated D1SA 
DC^l5)M[^UjttB 

■ Tlu^vnuemtom^h^upportm^ocumentatiori 
referenced in TASKORD 14-0185. Specifically, the 11 February 2014 White House 
memorandum, "Near-Term Measures lo Reduce the Risk of High Impact Unauthorized 
Disclosures " (Reference K) and the 02 July 2014 Office of the Secretary of Defense 
memorandum, "Mitigations for Insider Threat and High Impact Unauthorized Disclosures 
(Reference L) detail the operating environment the tasks are to be implemented. 


2. (U/ /FQUO) The DODIG Recommendation A.3.: We recommend that the Commander, U.S. 
Cyber Command and Director, Defense Information Systems Agency, coordinate to issue 
clarifying guidance for the Order 14-0185, “Insider Threat Mitigation.” July 17.2014. 
instruct DoD Components 
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UNCLASSIFILiDWWWt* 

(U//P0W®) AGREE. The Defense Information Sy stems Agency will be updating the Of'M 
guidance 

will work in coordination with U. S. Cyber Command’s J38 to update the guidance and notify 
the community once it is developed and released. 
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DEFENSE INFORMATION SYSTEMS AGENCY 

P O BOX 549 

FORT MEADE, MD 207554)549 


MEMORANDUM FOR DEPARTMENT OF DEFENSE INSPECTOR GENERAL 

SUBJECT: DoD Inspector General Draft Report Dated July 10,2015 (Project No. D2015- 
D0OORC-OO33.000) 

Reference: (U) DODIG DRAFT REPORT: AIR FORCE COMMANDS NEED TO IMPROVE 
LOGICAL AND PHYSICAL SECURITY SAFEGUARDS THAT PROTECT SIPRNET 
ACCESS POINTS 


The Defense Information Systems Agency (DISA) has reviewed the subject draft report 
and provides the following comment to the DODIG recommendation A.3. DISA has no other 
comments on the draft report. 

DODIG RECOMMENDATION A3: (U /FOUQ) : "We recommend that the Commander, 
U.S. Cyber Command and Director, Defense Information Systems Agency, coordinate to issue 
clarifying guidance for the T ask Order 14-0185. "Insider Threat Mitigation ” Ju ly 17,2014, to 
instruct DoD Components to 


DISA RESPONSE: DISA agrees with this recommendation. The DISA Ip/rflf/lPTfryL 
I Module (DCM) guidance to include 
DISA will work in coordination with the U.S. Cyber 
at^n^uidance and notify the community once it is developed and 

released. 


to kh 


JOHN W. WILMER 
Infrastructure Development 
Executive 
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Dominance 



CLASSIFICATION: UNCLASSIFIED 
DEPARTMENT OF THE AIR FORCE 

HEADQUARTERS UNITED STATES AIR FORCE 
WASHINGTON, DC 


MEMORANDUM FOR DEPARTMENT OF DEFENSE INSPECTOR GENERAL 
PRINCIPAL ASSISTANT INSPECTOR GENERAL FOR 
AUDITING 

FROM: SAP/CIO A6S 

1800 Air Force Pentagon, Rm ID857 
Washington, DC 20330-1800 

SUBJECT: Department of Defense Inspector General (DoDIG) Draft Report, Audit: "Security 
Controls Over Air Force’s Secret Internet Protocol Router Network Access Points” 

L The following arc the SAF/CIO A6SC comments on the recommendations outlined in the 
DoDIG Draft Report, Project No. D2015-D000RC-GO33.OOO. 

2. Comments: 


(U) Recommendation A.5.a/A.10.a: The Air Force Audit Agency’s Report of Audit 
F2015-0002-03000, Classified Information System Protection-Secret Internet 
Protocol Router Network, 3 Feb 15. identified [ 




_| Additionally, SAF/CIO A6 is working with SAF/IG to 

develop a Special Interest Item projected for FY 2016, Qtr 2, as an Air Force-wide 
mandatory inspection item. ECD: F'Y 2017 Qtr 2 



CLASSIFICATION: UNCLASSIFIED 
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CLASSIFICATION: UNCLASSIFIED 


c. (IJ) Recommendation li.2: There is policy in place uiul units were notified 6 Jul 
2010 through AFNetOps Order 2010-181-004. Instructions arc provided in MPTO 
00-33d-2001, Active Directory Naming Convention, providing instructions for entry 
into Active Directory with standard naming convention to include physical location 
and designated system administrator. Recommend Communication Squadron 
reference equipment location in Active Directory and ensure adherence to MPTO 00- 
33d-2001. In addition, APMAN 33-153, Information Technology Management, 
provides guidance for managing AF equipment. 



CLASSIFICATION: UNCLASSIFIED 
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UNCLASSIFIED 

DKI’AKTMKNT OF I III. AIR FORCIi 

Mil HIM l. HIM lt\ I. ( OM.M WII 

28 July 2015 

MHMORANDIJM IOR 1)01) ICi 

SUBJECT: Inspector General Project No. D2()I5-D000RC-0033.0(M) 

I. I'hc following is the j|£j|^ommunicalions Squadron initial response to the 

recommendations requiring comment on the L)OD IG (draft) project number D20I5- 
. I)0()()RC-0033.000: 




3. (I I) Recommendation U.3: I hejffl||('S has pul into elTect a process to ensure the 
completion and standardization of the SII’RNel System Authorization Access Request 
(SAAR). 1)1) form 2875. this process involves the participation of the requestor’s 
supervisor, unit security manager, and unit I AO. A form submitted will he reviewed for 
accuracy by the 1AM, LRA, or’SIPRNcl CST. The 1)1) form 2875 will be returned to the 
unit IAO if received incomplete. The requestor will provide copies of their derivative 
training, and Cyber-Awareness training certificates. Request this item be closed. 
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CLASSIFICATION: 



CLASSIFICATION: SECRET 

THIS PAGE IS UNCLASSIFIED WHEN 
ATTACHMENTS ARE REMOVED 


MEMORANDUM FOR DOI) IG 


|(l>) <7IIE) 

||L1(7I(L) 




2 Attachments 

I. DOI) ICi Draft Report, Air Force SIPRNcl Audit 


(5) Air Force 
SIPRNet Draft Report 


RESPONSE TO DOD IG 


THIS PAGE IS UNCLASSIFIED WHEN 
ATTACHMENTS ARE REMOVED 

CLASSIFICATION: S C C RET 
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(rOUO) This occurred because 
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DEPARTMEN 


5 AUG 


MEMORANDUM FOR DEPARTMENT OF DEFENSE INSPECT OR GENERAL 
PRINCIPAL ASSISTANT INSPECTOR GENERAL FOR 
AUDITING 


SUBJECT: Department of Defense Inspector General Draft Report. Audit: “Security Controls 
Over Air Force’s Secret Internet Protocol Router Network Access Points” 

1. Thank you lor the opportunity to rev iew and comment on the Department of Defense Draft 
Report, Project No. D2015-DOOORC-0033.000), “Audit: Security Controls Over Air Force’s 
Secret Internet Protocol Router Network Access Points," dated July 10, 2015. 

2. My specific comments to the recommendations arc attached for your consideration to 
incorporate in the final report. Overall, I concur with the draft Report's findings. 




Attachment: 

Department of Defense Inspector General Draft Report, dated 10 July 2015 


.'S Comments 
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DEPARTMENT OF DEFENSE OFFICE OF THE INSPECTOR GENERAL 
DRAFT REPORT - DATED JULY 10, 2015 
PROJECT NO. D2015-DOOORC-003.VOOO 
AUDIT: “SECURITY CONTROLS OVER AIR FORCE’S SECRET INTERNET 
PROTOCOL ROUTER NETWORK ACCESS POINTS” 


ICS COMMENTS 
TO THE RECOMMENDATIONS 



(ID RECOMMENDATION A.9.b: 

(U) We recommend that the Comma nder, 
t#) b. Develop procedures to 


heir major 


commands and the Air Force Chief. Intbnnahon Dominance Chief Information Otlicer. 



(IP RECOMMENDATION A.9.e: 
(U) We recommend tha t »h<*Cnn 




(b» <7icn> 

(bin), muses line. (b)(7)lE) 


|in accordance with Chairman of (lie Joint 
Chiefs of Staff Instruction 6510.0! F. “Information Assurance (IA) and Support to Computer 
Network Defense (C'ND) “ February 9, 2011, and Technical Manual Methods and Procedures, 
TO 00-33B-5004, “Access Control for Information Systems," 19 December 2012. 


£ I 

closed. 


'S RESPONSE: Concur. This process has been implemented. Recommend item be 


■ m or i 
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) RECOMMENDATION B.5: 

We recommend that the ( omman(lcr.||Mf|j|^^^^^^^HIc\ clop procedures to 
verify that access forms are accurately compIctcuTclorinicccsn^ranlccl to the Secret Internet 
Protocol Router Network. 


rs RESPONSE: Concur. |||||||f|ilrca(ly follows the AFNF.T process for account 
creation and paperwork following AFMAN 33-282. The Unit C'SL maintains and provides C'S a 
copy of the DD 2875 System Authorization Access Request to review for proper signatures 
before accounts are created. The regulation requires the unit CSL maintain the original 
paperwork, Recommend item he closed. 
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(U) Acronyms and Abbreviations 


AFB Air Force Base 
ARB Air Reserve Base 
ATO Authorization to Operate 
CAT Category 

CIO Chief Information Officer 


1(b)(7)(E) 


CS 

DIACAP 

HBSS 

IA 

IAO 

IP 

IT 

NATO 

NOS 

PDS 

POA&M 

RSD 

SAF/CIO A6 
SIPRNet 


Communications Squadron 

DoD Information Assurance Certification and Accreditation Process 

Host Based Security System 

Information Assurance 

Information Assurance Officer 

Internet Protocol 

Information Technology 

North Atlantic Treaty Organization 

Network Operations Squadron 

Protected Distribution System 

Plan of Actions and Milestones 

Rogue System Detection 

Air Force Chief Information Officer 

Secret Internet Protocol Router Network 
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(U) Glossary 

(U) Active Directory. Provides a method to store data and provide the data to network 
users and administrators. 

(U) Allow-all. A configuration that allows all traffic to flow through without 
security evaluation. 

(U) Authorization to Operate (ATO). Authorization granted by a designated 
accrediting authority for a DoD information system to process, store, or transmit 
information; an ATO indicates a DoD information system has adequately implemented 
all assigned information assurance controls to the point where residual risk is 
acceptable to the designated accrediting authority. ATOs may be issued for up 
to 3 years. 

(U) Boundary Protection. Monitoring and controlling communications at the external 
boundary of an information system to prevent and detect malicious and other 
unauthorized communications, through the use of boundary protection devices. 

(U) Deny-by-default. A configuration in which network traffic, which is not expressly 
allowed, is denied. 

(U) Disable. To configure the enclave firewalls to be routers and allow-all network 
traffic. 

(U) DoD Components. Combatant commands, Military Services, Federal agencies, 
and field activities. 

(U) Enclave. A collection of information systems connected by one or more internal 
networks under the control of a single authority and security policy. 

(U) Enclave Perimeter. Includes those points where remote users of an enclave gain 
access to resources and information within that enclave, or where members of the 
enclave, but not physically located within the enclave, gain access to resources or 
information within that enclave. 

(U) Firewalls. Hardware and software that limits access between networks or systems 
(or both) in accordance with a specific security policy. 
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(U) Gateways. Entry and exit points for data to and from the SIPRNet. 

(U) Host Based Security System (HBSS). An application that monitors, detects, 
and counters against known cyber threats. 

(U) Logical Safeguards. System-based mechanisms such as firewalls, permission 
settings, usernames and passwords, and SIPRNet tokens that are used to designate who 
or what has access to a specific system or function. 

(U) Interim Authorization to Operate. Temporary authorization granted by the 
designated accrediting authority to operate a DoD information system under the 
conditions or constraints enumerated in the accreditation decision. 

(U) Internet Protocol (IP) Address. Identifiers that are assigned to equipment 
connected to the network. 

(U) Network Defense Devices. Network defense devices include equipment used to 
monitor, detect, analyze, and respond and restore activities. 

(U) Physical Safeguards. Locks, guards, and security containers deter or delay an 
adversary's access to the network. 

(U) Plan of Action and Milestones (POA&M). A permanent record that identifies 
tasks to be accomplished to resolve vulnerabilities; required for any accreditation 
decision that requires corrective actions, it specifies resources required to accomplish 
the tasks enumerated in the plan and milestones for completing the tasks; also used to 
document designated accrediting authority accepted noncompliant information 
assurance controls and baseline information assurance controls that are not applicable. 
An IT Security POA&M may be,active or inactive throughout a system's life cycle as 
weaknesses are newly identified or closed. 

(U) Port Security. To electronically lock network ports so that only approved devices 
can use the port. 

(U) Protected Distribution System (PDS). A system used to transmit encrypted 
classified National Security Information through an area of lesser classification 
or control. 
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(U) Removable Media. Items such as compact discs, digital video discs, secure digital 
cards, tape, flash memory data storage devices, diskettes, multi-media cards, and 
external hard drives. 

(U) Rouge System Device (RSD). Device that does not have Host Based Security 
System software installed. 

(U) Security Posture. The security status of an enterprise's networks, information, and 
systems based on information assurance resources and capabilities in place to manage 
the defense of the enterprise and to react as the situation changes. 

(U) Severity Category (CAT) I. Assigned to findings that allow primary security 
protections to be bypassed, allowing immediate access by unauthorized personnel or 
unauthorized assumptions of super-user privileges. An ATO will not be granted while 
CAT I weaknesses are present. 

(U) Subnetwork. An identifiably separate part of an organization's network. 

(U) Validation. Confirmation that requirements for a specific intended use or 
application have been fulfilled. 

(U) Write Function. The ability to download or transfer data from the SIPRNet to 
removable media. 
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Annex 

(U) Annex 

fU) Sources 

(FOUO) Source 1: DoD Instruction 0-3600.02, "Information Operations (10) Security 
Classification Guide," November 28, 2005 (Document For Official Use Only) 

(■F0UO) Source 2: CCRI Summary Report," (Document classified Secret) 

Declassify On: 20241114 
Date of Source: November 14, 2014 

(FOUO) Source 3: Technical Vulnerability Report," (Document 

classified Secret) 

Declassify On: 20241114 

Date of Source: November 14, 2014 

(FOUO) Source 4: CCRI Summary Report," (Document classified Secret) 

Declassify On: 20241209 
Date of Source: December 9, 2014 

(FOUO) Source 5: Technical Vulnerability Report," (Document 

classified Secret) 

Declassify On: 20241209 

Date of Source: December 9, 2014 

(FOUO) Source 6: CCRI Summary Report," (Document classified Secret) 

Declassify On: 20250114 
Date of Source: January 14, 2015 

(FOUO) Source 7: Technical Vulnerability Report," (Document 

classified Secret) 

Declassify On: 20250114 

Date of Source: January 14, 2015 
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Annex 

ftF QUO) Source 8: CCRI Summary Report/' (Document classified Secret) 

Declassify On: 20250211 
Date of Source: February 11, 2015 

( ■ FOUO) Source 9: Technical Vulnerability Report," (Document 

classified Secret) 

Declassify On: 20250211 

Date of Source: February 11, 2015 

(FOUO) Source 10: CCRI Summary Report," (Document classified Secret) 

Declassify On: 20250305 
Date of Source: March 5, 2015 

fl FOUQ) Source 11: Technical Vulnerability Report," (Document 

classified Secret) 

Declassify On: 20250305 

Date of Source: March 5, 2015 

(TOUO) Source 12: '^j|j|gj CCRI Summary Report," (Document classified Secret) 
Declassify On: 20241201 
Date of Source: December 1, 2014 

(FOUO) Source 13: Technical Vulnerability Report," (Document classified Secret) 

Declassify On: 20241201 
Date of Source: December 1, 2014 

(FOUO) Source 14: '{m||| CCRI Summary Report," (Document classified Secret) 
Declassify On: 20241204 
Date of Source: December 4, 2014 

(rOUO) Source 15: '^||| Technical Vulnerability Report," (Document classified Secret) 
Declassify On: 20241204 
Date of Source: December 4, 2014 
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Annex 

(FOUO) Source 16: 'j|||j| CCRI Summary Report," (Document classified Secret) 
Declassify On: 20250108 
Date of Source: January 8, 2015 

(FOUO) Source 17: 'J|||j|| Technical Vulnerability Report," (Document classified Secret) 
Declassify On: 20250108 
Date of Source: January 8, 2015 

( FOUO) Source 18: CCRI Summary Report," (Document classified Secret) 

Declassify On: 20250205 
Date of Source: February 5, 2015 

(rOUO) Source 19: Technical Vulnerability Report," (Document classified Secret) 

Declassify On: 20250205 
Date of Source: February 5, 2015 

(FOUO) Source 20: 'j|jjH|j CCRI Summary Report," (Document classified Secret) 
Declassify On: 20250305 
Date of Source: March 5, 2015 

(FOUO) Source 21: 'jlHH Technical Vulnerability Report," (Document classified Secret) 
Declassify On: 20250305 
Date of Source: March 5, 2015 

(FOUO) Source 22: 'j|j|j|j| CCRI Summary Report," (Document classified Secret) 
Declassify On: 20241117 
Date of Source: November 17, 2014 

( FOUO) Source 23: 'jHHU Technical Vulnerability Report," (Document 
classified Secret) 

» 

Declassify On: 20241117 

Date of Source: November 17, 2014 
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An nex 

(FOUO) Source 24: ‘jHHH CCRI Summary Report," (Document classified Secret] 
Declassify On: 20241203 
Date of Source: December 3, 2014 

(FOUO] Source 25: 'j|jf||H Technical Vulnerability Report," (Document 
classified Secret] 

Declassify On: 20241203 

Date of Source: December 3, 2014 

(FOUO] Source 26: CCRI Summary Report," (Document classified Secret] 

Declassify On: 20250108 
Date of Source: January 8, 2015 

(FOUO] Source 27: Technical Vulnerability Report," (Document 

classified Secret] 

Declassify On: 20250108 

Date of Source: January 8, 2015 

(FOUO] Source 28: 'j|jj||jj CCRI Summary Report," (Document classified Secret] 
Declassify On: 20250205 
Date of Source: February 5, 2015 

(FOUO] Source 29: 'jmm Technical Vulnerability Report," (Document 
' classified Secret] 

Declassify On: 20250205 

Date of Source: February 5, 2015 

(FOUO] Source 30: 'jHf|U CCRI Summary Report," (Document classified Secret] 
Declassify On: 20250313 
Date of Source: March 13, 2015 

(FOUO] Source 31: Technical Vulnerability Report," (Document 

classified Secret) 

Declassify On: 20250313 

Date of Source: March 13, 2015 

SEER - E - T 


Reporl No. DODIG-2015-168 | 75 



S ECRET 


Whistleblower Protection 

U.S. Department of Defense 

The Whistleblower Protection Enhancement Act of 2012 requires 
the Inspector General to designate a Whistleblower Protection 
Ombudsman to educate agency employees about prohibitions 
on retaliation, and rights and remedies against retaliation for 
protected disclosures. The designated ombudsman is the DoD Hotline 
Director. For more information on your rights and remedies against 
retaliation, visit www.dodig.mil/programs/whistleblower. 


For more information about DoD 1G 
reports or activities, please contact us: 

Congressional Liaison 

congressional@dodig.mil; 703.604.8324 

Media Contact 

public.affairs@dodig.mil; 703.604.8324 

Monthly Update 

dodigconnect-request@listserve.com 

Reports Mailing List 

dodig_report@listserve.com 

Twitter 

twitter.com/DoD_IG 

DoD Hotline 

dodig.mil/hotline 
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